2025.12.3
2026.1.1
2026.2.1
CVE-2026-26077 affects Discourse, an open-source discussion platform. This vulnerability allows unauthenticated attackers to forge webhook payloads, potentially leading to inflated user bounce scores and the disabling of legitimate user emails. The issue impacts versions 2025.12.2 and earlier, 2026.1.1 and earlier, and 2026.2.0 and earlier. A fix is available in version 2026.2.0.
The core impact of CVE-2026-26077 lies in the ability of an attacker to manipulate Discourse's webhook system. Webhooks are used to send notifications to external services (like email providers) when certain events occur within Discourse. By forging these webhook payloads without authentication, an attacker can artificially inflate a user's bounce rate. This can trigger Discourse's anti-spam measures, leading to legitimate user emails being blocked or disabled. The Mailpace endpoint presented an even greater risk, lacking any token validation whatsoever, making exploitation trivial. This vulnerability could disrupt communication and negatively impact user experience.
CVE-2026-26077 was publicly disclosed on February 26, 2026. There is currently no indication of active exploitation in the wild, nor are there any publicly available proof-of-concept exploits. The vulnerability is not currently listed on the CISA KEV catalog. Given the relatively low complexity of exploitation (lack of authentication), it's prudent to apply the patch promptly.
Discourse installations utilizing external email services via webhooks are at risk. This includes organizations relying on Discourse for community forums, online learning platforms, or any application integrating with email marketing or notification services. Shared hosting environments running Discourse are particularly vulnerable, as misconfigurations on one instance could potentially impact others.
• linux / server:
journalctl -u discourse -g 'webhook' | grep -i 'error'
• generic web:
curl -I https://your-discourse-instance.com/webhooks/sendgrid/endpoint | grep -i '401 unauthorized'
• discourse: Check the Discourse admin panel for webhook token configuration. Ensure tokens are enabled and not empty for all endpoints.
Disclosure
Exploitation status
EPSS
0.07% (21st percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-26077 is to upgrade Discourse to version 2026.2.0 or later, which includes the necessary authentication checks. If an immediate upgrade is not feasible, consider temporarily disabling the vulnerable webhook endpoints (SendGrid, Mailjet, Mandrill, Postmark, SparkPost) within the Discourse admin panel. Review your Discourse configuration to ensure that webhook tokens are properly configured and enforced. Monitor your Discourse logs for suspicious webhook activity, particularly unusual spikes in bounce rates or unauthorized requests to these endpoints. After upgrading, confirm the fix by attempting to manually trigger a webhook payload without proper authentication; it should be rejected.
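The log monitoring step above is easiest to make concrete with a small triage script. The following is an added example, not code from the page or from the Discourse project; it assumes a reverse-proxy access log in the common nginx/Apache "combined" format, that the provider endpoints live under `/webhooks/<provider>` (the exact Discourse routes may differ), and uses constructed sample lines. It flags two things: rejected (401/403) POSTs to webhook endpoints, which after the upgrade indicate someone sending unauthenticated payloads, and bursts of accepted webhook POSTs from a single source, which on an unpatched instance would be the signature of forged bounce events.

```ruby
require 'time'

# Assumed route shape; adjust to the routes your Discourse version exposes.
WEBHOOK_PATH = %r{\A/webhooks/(sendgrid|mailjet|mandrill|postmark|sparkpost|mailpace)\b}.freeze

# Combined-format access log fields we need: client IP, timestamp, request line, status.
LINE_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>\S+) (?<path>\S+) [^"]*" (?<status>\d{3})/

# Constructed sample lines (not real traffic). Addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = <<~LOG
  203.0.113.7 - - [26/Feb/2026:10:00:01 +0000] "POST /webhooks/sendgrid HTTP/1.1" 401 0 "-" "curl/8.5.0"
  203.0.113.7 - - [26/Feb/2026:10:00:02 +0000] "POST /webhooks/sendgrid HTTP/1.1" 401 0 "-" "curl/8.5.0"
  192.0.2.10 - - [26/Feb/2026:10:01:00 +0000] "POST /webhooks/postmark HTTP/1.1" 200 2 "-" "Postmark"
  198.51.100.9 - - [26/Feb/2026:10:05:00 +0000] "POST /webhooks/mailpace HTTP/1.1" 200 2 "-" "python-requests/2.31"
  198.51.100.9 - - [26/Feb/2026:10:05:06 +0000] "POST /webhooks/mailpace HTTP/1.1" 200 2 "-" "python-requests/2.31"
  198.51.100.9 - - [26/Feb/2026:10:05:12 +0000] "POST /webhooks/mailpace HTTP/1.1" 200 2 "-" "python-requests/2.31"
  198.51.100.9 - - [26/Feb/2026:10:05:18 +0000] "POST /webhooks/mailpace HTTP/1.1" 200 2 "-" "python-requests/2.31"
  198.51.100.9 - - [26/Feb/2026:10:05:24 +0000] "POST /webhooks/mailpace HTTP/1.1" 200 2 "-" "python-requests/2.31"
  198.51.100.9 - - [26/Feb/2026:10:05:30 +0000] "POST /webhooks/mailpace HTTP/1.1" 200 2 "-" "python-requests/2.31"
  203.0.113.7 - - [26/Feb/2026:10:06:00 +0000] "POST /webhooks/sparkpost HTTP/1.1" 403 0 "-" "curl/8.5.0"
  192.0.2.44 - - [26/Feb/2026:10:07:00 +0000] "GET /latest HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
LOG

# Parse one access-log line into a hash, or nil if it does not match the format.
def parse_line(line)
  m = LINE_RE.match(line) or return nil
  {
    ip: m[:ip],
    time: Time.strptime(m[:ts], '%d/%b/%Y:%H:%M:%S %z'),
    method: m[:method],
    path: m[:path],
    status: m[:status].to_i
  }
end

# Keep only POSTs to the provider webhook endpoints.
def webhook_events(log)
  log.each_line.filter_map { |l| parse_line(l) }
     .select { |e| e[:method] == 'POST' && e[:path].match?(WEBHOOK_PATH) }
end

# Return rejected unauthenticated attempts and per-source bursts of accepted payloads.
# A burst is `threshold` or more accepted POSTs from one IP to one provider within `window` seconds.
def analyze(log, window: 60, threshold: 5)
  events   = webhook_events(log)
  rejected = events.select { |e| [401, 403].include?(e[:status]) }
  accepted = events.select { |e| (200..299).cover?(e[:status]) }

  bursts = []
  accepted.group_by { |e| [e[:ip], e[:path][WEBHOOK_PATH, 1]] }.each do |(ip, provider), evs|
    times = evs.map { |e| e[:time] }.sort
    times.each_with_index do |start, i|
      # Sliding window: count events no more than `window` seconds after this one.
      count = times[i..].take_while { |t| t - start <= window }.size
      if count >= threshold
        bursts << { ip: ip, provider: provider, count: count, start: start }
        break
      end
    end
  end

  { rejected: rejected, bursts: bursts }
end

if $PROGRAM_NAME == __FILE__
  result = analyze(SAMPLE_LOG)
  result[:rejected].each { |e| puts "rejected webhook POST from #{e[:ip]} to #{e[:path]} (#{e[:status]})" }
  result[:bursts].each   { |b| puts "burst: #{b[:count]} accepted #{b[:provider]} payloads from #{b[:ip]} starting #{b[:start]}" }
end
```

Feed it your real access log (`ruby webhook_triage.rb < access.log` after swapping `SAMPLE_LOG` for `$stdin.read`) and correlate any burst with the users whose bounce scores rose in the same window. Tune `window` and `threshold` to your provider's normal delivery volume: a mail provider legitimately batches bounce notifications, so the source IPs of real bursts should match the provider's published ranges.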
Upgrade Discourse to 2025.12.2, 2026.1.1, or 2026.2.0 or later. Alternatively, configure the authentication token for every email-provider integration in the site settings (for example `sendgrid_verification_key`, `mailjet_webhook_token`, `postmark_webhook_token`, `sparkpost_webhook_token`). For Mailpace there is no workaround available until this fix is applied.
CVE-2026-26077 is a vulnerability in Discourse allowing unauthenticated attackers to forge webhook payloads, potentially disabling user emails. It affects versions ≤ 2026.2.0 and < 2026.2.0.
You are affected if you are running Discourse versions 2025.12.2 and earlier, 2026.1.1 and earlier, or 2026.2.0 and earlier, and are using webhooks.
Upgrade Discourse to version 2026.2.0 or later. As a temporary workaround, disable vulnerable webhook endpoints in the admin panel.
There is currently no evidence of active exploitation in the wild or publicly available proof-of-concept exploits.
Refer to the official Discourse security advisory on their website: [https://github.com/discourse/discourse/security/advisories/GHSA-xxxx-xxxx-xxxx](https://github.com/discourse/discourse/security/advisories/GHSA-xxxx-xxxx-xxxx) (replace with actual URL)